Tips to comply with HIPAA's new privacy regulations
From the May ACP-ASIM Observer, copyright © 2002 by the American College of Physicians-American Society of Internal Medicine.
By Jason van Steenburgh
When HHS in March proposed revising the federal government's new rules regulating the privacy of medical information, many were left shaking their heads in confusion.
After all, the rules, which were designed to protect patient information, are supposed to take effect in April 2003. Last-minute changes have many physicians wondering how they can comply with guidelines that are a moving target—and whether they should even bother to try.
While HHS made a major shift by proposing that health care providers no longer need consent to use patient health information, most of the proposed changes were aimed at clarifying some of the original guidelines' more confusing aspects.
One thing that has not changed, however, is the deadline for the new rules. With the April 2003 deadline looming, you need to start preparing your practice to comply with at least those aspects of the law that aren't likely to change.
Here are some tips to help you cut through the confusion—and to make sure that your practice complies with the new privacy rules when they take effect.
The privacy guidelines are part of the Health Insurance Portability and Accountability Act (HIPAA), legislation created to simplify and secure the flow of health care information. While the privacy rules are just one part of the law, they have generated the most anxiety—and confusion—among physicians.
The HIPAA privacy regulations apply to all types of personal health information, whether electronic, written, typed or spoken. While the rules won't require earth-shattering changes, they will require most physicians to alter the way they do business.
For example, you'll have to designate a privacy officer to make sure you're in compliance and to handle patient concerns and complaints about privacy violations. If you're part of a small practice, you don't have to hire a new staff person to fill this role. You can instead give the job to someone already on staff.
To start, conduct a walk-through of your practice to look for potential leaks of private patient information. Mike Fleischman, vice president of the Atlanta-based health care consulting firm Gates, Moore & Company, suggested paying particular attention to your waiting room.
On your sign-in sheets, for example, don't ask patients to list personal information—such as the reason for their visit or their social security number—next to their names. If you have slots for charts near or on office doors, consider having your staff place documents face down to hide patients' names. And don't keep your fax machine in a public place where anyone can view incoming faxes.
The privacy rules do not require you to soundproof rooms, encrypt your telephones or make major structural changes to your practice. They simply state that you must take reasonable steps to prevent the careless distribution of private patient information. (For more clarification on misunderstandings about HIPAA, see "Six myths about the new rules protecting patient privacy," below.)
Mr. Fleischman said that while you'll probably have to fine-tune parts of your practice, you won't need a complete overhaul. To protect the privacy of patient information being viewed on computer screens, for example, he suggested simply repositioning the screen so people walking by can't take a peek.
"It might take just a five-degree turn to hide it from the eyes of people walking past," he explained. "Most of this regulation is just legislation of common sense."
In its proposed changes earlier this year, HHS clarified its thinking on accidental disclosures of oral information.
Although the rules have always said that practices must simply take "reasonable" steps to ensure the privacy of oral communications, many have misinterpreted the rules as saying that any disclosure, no matter how small or accidental, would be considered a violation. In its March proposal, HHS made clear that an isolated, incidental disclosure of private health information during the course of treatment is not a violation of the rules.
Steven S. Lazarus, president of Boundary Information Group, a national alliance of consultants that offers HIPAA services, said that the number of people who are privy to private information is an important key to determining whether you are violating the privacy provisions.
"If a patient overhears a sensitive discussion while walking by an examination room door," he explained, "that is very different from a practice that repeatedly has these conversations in front of a large group of patients in the waiting room."
As a result, solutions don't have to be complicated. Margaret Daulton, an administrator for Associates for Women's Medicine, an ob-gyn group in Syracuse, N.Y., said that to protect the privacy of oral communications, one of her offices moved some sensitive functions away from the reception desk. "We moved the area where nurses do callbacks and changed the registration process so that patients have a more private area to sign in," she explained.
Inside your practice
Because the privacy guidelines were created to give patients control of their health information, patients must authorize certain uses of it. They also have the right to examine and request changes to their information.
Originally, the privacy rules required patients to sign consent forms before physicians could use their information for treatment decisions, to obtain payment for services or for any other administrative purpose. In its March proposal, however, HHS said it would no longer require physicians and other providers to get signed consent from patients. If the proposal is finalized, you would need only to ensure that patients are aware of their privacy rights.
One thing is clear: Under both the existing and proposed privacy rules, you must inform patients of their privacy rights by posting a "notice of privacy practices" in plain view. It must include contact information for your privacy officer and the Office of Civil Rights, the federal agency that will enforce the privacy rules.
Both old and new versions of the privacy rules clearly state that people involved in "treatment" must have unfettered access to patient information. A physician with admitting privileges at a hospital, for example, can freely give the hospital patient information needed for treatment without worrying about privacy issues.
Your employees' access to patient health information, however, will vary. The privacy regulations state that employees may access only the health information they need to do their jobs, a rule known as the "minimum necessary standard." In other words, you should give staff members health information on a "need-to-know" basis.
If you work in a small practice where staff members wear several different hats, every employee may need total access. In larger practices, however, clerical and legal staff probably won't need unlimited access to patient information.
To comply, you'll need to evaluate all the positions in your practice to determine what type of access each person needs. Instead of rewriting each job description, however, Mr. Lazarus suggested categorizing staff according to their role. Specify in your policies and procedures, for example, that anyone in a clerk role has a certain level of access, then indicate in their job descriptions which employees function as clerks.
To assess your compliance, the Office of Civil Rights will examine documentation that shows you have trained your staff to protect patient information. "You must train your employees continuously—every six months or once a year," said Patrick Hope, Esq., Legislative Counsel for the College's Washington office. "New employees should be trained right away."
Outside your practice
While the changes HHS proposed in March raise questions about whether you'll need a consent form to use patient information for treatment, you'll clearly need patient authorization to use their health information for other purposes.
If you want to give patient information to parties not directly involved in patient care—such as insurance companies, financial institutions or employers—you must have patients sign an authorization form. Because the rules say that these authorization forms must have an expiration date, you'll need to update them periodically, giving patients a chance to change their minds about who sees their information.
Besides patient authorization forms, your practice will need five other forms. These forms allow patients to inspect and copy their information, restrict who receives it, deny access to it, amend it and get a list of who has seen it. (All six forms are available for free from the ACP-ASIM Practice Management Center's HIPAA Privacy Manual at www.acponline.org/pmc.)
To let patients know who has seen their information, you'll need to track exactly how you distribute patient information. While software can help you track the flow of patient data, most physicians will need to do a better job of monitoring patient information flow in their practices.
One note: If patients don't authorize you to disclose their information for purposes unrelated to treatment, you can't deny treatment. If you have told patients that the goal of a particular treatment is to gather information or conduct research, you might be able to deny treatment, but the exception is not clear.
Parties other than patients can also access patient health information, but only if they have the patient's permission. Family members and even friends, for example, can pick up prescriptions, X-rays and medical supplies, as well as make appointments for patients. The regulations say that physicians must determine who has the patient's authorization.
Under the proposed changes, parents and legal guardians would automatically have access to their children's records unless state laws say otherwise. Legal authorities requiring patient information for law enforcement purposes also have access without patient authorization under both the existing and new rules.
What about other organizations or individuals that provide services to your practice? The privacy regulations allow you to give these "business associates" the information they need to carry out services, but nothing more.
In your contracts with business partners, you must stipulate that they can use patient information only to provide specified services. Your contracts must also require these organizations to inform you if they violate any privacy rule provisions.
Although you won't be expected to enforce your business associates' compliance with the privacy rules, you must demand that they change their behavior if you know they are in violation. If a business associate repeatedly violates the rules, you should terminate the relationship as soon as possible.
Many practices say they have done little to implement the new rules. You can't begin to train your employees until you complete your policies and procedures, which you can't do until the final guidelines are set. (At press time, it was not clear if and when proposed changes to the privacy rules would be finalized.)
While that may be true, consultants say you can begin by addressing the elements of the rules that are not in flux. Begin by picking a privacy officer, identifying your business associates, investigating methods to train your staff and developing a system of sanctions for employees who violate the privacy law.
Mr. Lazarus said that assessing where personal health information flows within your practice is a good starting point. Review your policies and procedures and interview your staff on the subject. Develop a work plan with a timeframe through April 2003, he said.
Also remember that if you don't bring your practice up to snuff, you could face fines and penalties. According to the College's Mr. Hope, fines start at $100 for each violation and are capped at $25,000 for each requirement violated. Those who violate HIPAA knowingly or for financial gain, however, can face much stiffer penalties, including up to 10 years in prison and fines of up to $250,000.
Mr. Hope predicted that much of the real-world application of the privacy rules will be sorted out in court after the compliance date, but that physicians need to start discussing implementation now.
"Privacy is here to stay because Congress wants it," he explained. "The big question is, When are we going to comply?"
1. You can't use patients' names in the waiting room. While this was never true, the latest version of the rules specifically states that calling out patient names is not a problem.
2. Charts must be kept in locked drawers or rooms at all times. You should always try to hide the contents of patients' charts from people who are not directly involved in their care. If someone accidentally sees a bit of information on a patient's chart, however, it is not a violation.
3. You need business associate contracts with everyone with whom you do business. You need business associate contracts only with those companies that receive health information from you for purposes other than treatment.
4. You can't make a referral or give health information to other providers who are caring for the patient without the patient's consent. Anyone directly involved in patient care does not need the patient's consent to see his or her information, nor does the minimum necessary standard apply to people who treat patients.
5. Residents and medical students will be inhibited by the privacy regulations. The rules specifically state that consent to a provider is the same as consent to anyone the provider is training to treat that patient.
6. Providers must track the movement of every bit of personal health information. You must track only disclosures outside of the practice for purposes not directly related to treatment.
The College's Practice Management Center has developed the HIPAA Privacy Manual, which includes a sample notice of privacy practices, a sample business associate contract, authorization forms, sample privacy policies and procedures, templates, checklists, a glossary of terms and a step-by-step guide to implementation in your office. The manual will be updated periodically as HIPAA rules change.
College members can get a free copy of the manual at www.acponline.org/pmc.
Internist Archives Quick Links
What will you learn from your Annals Virtual Patient?
Annals Virtual Patients is a unique patient care simulator that mirrors real patient care decisions and consequences. CME Credit and MOC Points are available. Start off with a FREE sample case. Start your journey now.
Products and Resources for Patients
ACP has developed easy- to-use materials designed to help educate your patients on self-management of a wide variety of common health conditions. Order yours today!